Several fraudulent SSL certificates have been found in the wild issued by the DigiNotar Certificate Authority, obtained through a security compromise of said company. After further updates on this incident, it has been determined that all of DigiNotar's signing certificates can no longer be trusted.

Debian, like other software distributors and vendors, has decided to distrust all of DigiNotar's CAs. In this update, this is done in the crypto library (a component of the OpenSSL toolkit) by marking such certificates as revoked.

Any application that uses said component should now reject certificates signed by DigiNotar. Individual applications may allow users to override the validation failure. However, making exceptions is highly discouraged and should be carefully verified.

Additionally, a vulnerability has been found in the ECDHE_ECDSA cipher where timing attacks make it easier to determine private keys. The Common Vulnerabilities and Exposures project identifies it as CVE-2011-1945.
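The timing weakness above belongs to a well-known class: when the scalar-multiplication loop that computes the per-signature value runs once per bit of the secret nonce, the running time reveals the nonce's bit length, and that partial information about many nonces is enough to recover the private key. The usual mitigation is to pad the scalar with the group order so that every multiplication runs the same number of iterations. The following is an added illustration, not code from the advisory or from OpenSSL: it uses a constructed toy curve (y^2 = x^3 + 2x + 3 over F_97), counts group operations as a proxy for wall-clock time, and contrasts a leaky ladder with the padded, fixed-length one. The names (scalar_mult_leaky, scalar_mult_fixed, compare) and the curve are assumptions made for this example.

```python
"""Toy illustration of the scalar-bit-length timing leak and its mitigation.

Constructed example (not OpenSSL's code): a tiny curve, affine arithmetic, and
a counter of group operations standing in for measured time.
"""

P_MOD, A, B = 97, 2, 3   # constructed toy curve y^2 = x^3 + A x + B over F_p
OPS = [0]                # number of group operations performed (time proxy)


def inv(x):
    """Modular inverse via Fermat (p is prime)."""
    return pow(x, P_MOD - 2, P_MOD)


def add(P, Q):
    """Affine point addition/doubling; None is the point at infinity."""
    OPS[0] += 1
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # P == -Q
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ladder(k, G):
    """Montgomery ladder, MSB first: exactly one add and one double per bit,
    so the work done is 2 * bit_length(k) group operations."""
    r0, r1 = None, G
    for bit in bin(k)[2:]:
        if bit == "0":
            r1, r0 = add(r0, r1), add(r0, r0)
        else:
            r0, r1 = add(r0, r1), add(r1, r1)
    return r0


def point_order(G):
    """Smallest n > 0 with n*G = O (brute force; fine for a toy curve)."""
    r, n = G, 1
    while r is not None:
        r, n = add(r, G), n + 1
    return n


def curve_points():
    """All affine points of the toy curve."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - (x ** 3 + A * x + B)) % P_MOD == 0]


def generator():
    """Use the affine point of largest order as the base point."""
    return max(curve_points(), key=point_order)


def scalar_mult_leaky(k, G, n):
    """Vulnerable pattern: loop length equals bit_length(k), so the amount of
    work (and therefore the time) leaks the size of the secret scalar."""
    return ladder(k, G)


def scalar_mult_fixed(k, G, n):
    """Mitigation: add the group order n (or 2n) so every scalar processed by
    the ladder has exactly bit_length(n) + 1 bits.  Because n*G = O the
    result is unchanged, but the loop length no longer depends on k."""
    kp = k + n
    if kp.bit_length() <= n.bit_length():
        kp += n
    return ladder(kp, G)


def cost(func, k, G, n):
    """Return (result, group operations used) for one scalar multiplication."""
    OPS[0] = 0
    r = func(k, G, n)
    return r, OPS[0]


def compare(G=None):
    """Run every scalar k in [1, n) through both variants and summarise:
    the set of costs seen for each, and whether the results agree."""
    G = G or generator()
    n = point_order(G)
    leaky_costs, fixed_costs, same = set(), set(), True
    for k in range(1, n):
        r1, c1 = cost(scalar_mult_leaky, k, G, n)
        r2, c2 = cost(scalar_mult_fixed, k, G, n)
        leaky_costs.add(c1)
        fixed_costs.add(c2)
        same = same and r1 == r2
    return {"order": n, "leaky_costs": sorted(leaky_costs),
            "fixed_costs": sorted(fixed_costs), "results_equal": same}


if __name__ == "__main__":
    print(compare())
```

Running compare() shows the leaky variant's cost taking several distinct values across scalars (one per possible bit length) while the padded variant always costs the same, with identical results. On a real implementation the same check is done with timing measurements rather than an operation counter, and the fix must also keep the per-iteration work itself free of secret-dependent branches.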

For the oldstable distribution (lenny), these problems have been fixed in version 0.9.8g-15+lenny12.

For the stable distribution (squeeze), these problems have been fixed in version 0.9.8o-4squeeze2.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 1.0.0e-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/